CVE-2026-12846
CriticalCVSS 10.0Exploitation Probability (EPSS)
Low risk34th percentile — higher than 34% of all known CVEs
Summary
The GV-I/O Box 4E is an embedded smart device that is vulnerable to stack overflow due to improper handling of UDP messages. An attacker can send a specially crafted message, potentially leading to unauthorized access or device failure.
Risk Assessment
This vulnerability poses a risk to network security as any user on the network can send messages to the DVRSearch service, which may lead to device takeover or destabilization.
Recommendation
It is recommended to block access to port 10001 on the firewall and update the device firmware to mitigate this vulnerability.
Original NVD description (English source)
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### Net Mask field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v6 = strlen(g_network_config->net_mask); memcpy(&reply_buf[184], g_network_config->net_mask, v6);

